Splunk Enterprise Security

How to modify data model in CIM without doing so directly in CIM?

lukasmecir
Path Finder

Hello,

I have a question about modification of data model in CIM:

I would like to add one child dataset to DM "Change". Can I do it by separate application?

What I mean exactly: If I create a modified Change.json file with a new dataset, place it to separate app (eg. my_change_dm) and place this app to $splunk_home/etc/apps directory - will my modified JSON file merge with Change.json in Splunk_SA_CIM app?
Or is there another way to modify DM in CIM without modifying it directly in the Splunk_SA_CIM app?

I know that I can modify DM directly in Splunk_SA_CIM, but for some reason I need to make some research.
Thank you very much for any info.

Regards,
Lukas Mecir

Labels (1)
0 Karma
1 Solution

woodcock
Esteemed Legend

You don't need your own app, but definitely do not edit the existing datamodel. Just clone it and call it something like Change_Clone and then do whatever you would like. Keep them totally separate and only use the clone.

View solution in original post

0 Karma

woodcock
Esteemed Legend

You don't need your own app, but definitely do not edit the existing datamodel. Just clone it and call it something like Change_Clone and then do whatever you would like. Keep them totally separate and only use the clone.

0 Karma

lukasmecir
Path Finder

Hi Gregg, thank you for your answer. Just for clarification - the cloned data model "Change_Clone" will not be used by out-of-the-box reports and dashboards etc. in Splunk ES, because they are not aware of it (they are aware of out-of-the-box DM "Change" only), am I right? This is not problem for me now, I just would like clarify this.

0 Karma

woodcock
Esteemed Legend

Yes, you are correct but the majority of use-cases in Splunk require adjusting and tuning to work right for each client so you are most-likely going to modify just about everything that you use in ES anyway so changing from one datamodel to another is not a big deal.

0 Karma

lukasmecir
Path Finder

And another question - when you say "do not edit the existing datamodel", what do you exactly mean? Do you mean that I should not change Change.json file in Splunk_SA_CIM/default dir, or I should not change it at all (even if I change it by putting modified Change.json to Splunk_SA_CIM/local dir)?

0 Karma

woodcock
Esteemed Legend

Correct. Do not change the JSON files. Changing datamodels.conf is fine.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try it. It should work, except I believe you'll need to define the entire data model in your custom JSON file since I doubt Splunk will merge them. Be sure to name your app so it comes before Splunk_SA_CIM. Also, be aware that your changes will trump any future updates to that DM by the CIM app.

---
If this reply helps you, Karma would be appreciated.
0 Karma

lukasmecir
Path Finder

Thank you for your answer. I tried and you are right - entire DM must be defined in custom app and Splunk do not merge content of JSON files.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...